Cybercriminals are currently mass-mailing millions of emails that try to trick recipients into executing malicious attachments pitched as recently arrived fax messages. Once the malicious executable runs, the victim is exposed to a variety of dropped malware variants, a clear attempt by the cybercriminals to add further layers of monetization to the campaign.

Upon execution, the malicious executable attempts to connect to a number of domains.

It then downloads additional malicious payloads from a series of URLs, several of which were still active at the time of writing.

The following MD5, also downloaded in the campaign, is known to have phoned back to the campaign's C&C server:

MD5: 2FC39B95A36BDD61C44BAAD205BCC2EC – detected by 30 out of 44 antivirus scanners as VirTool:Win32/CeeInject

The following malicious domain responds to the same IP: updateswindowspc.net

The following malicious domains are also known to have responded to the same IP (130.185.73.102) in the past:

warrantynetwork.co.in – MD5: c80c3e16b17309fbcabdd402649faab5 is known to have phoned back there – detected by 33 out of 44 antivirus scanners as Trojan:Win32/Grymegat.B
amendenhancements.net.in – MD5: B1206CB15B85DDBF6FC411FE9C1FB808 is known to have phoned back there – detected by 17 out of 44 antivirus scanners as Trojan:Win32/Grymegat.B
homedrakx.net.in
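The point of the IP pivot above is that the operators rotate domains onto the same server, so a detector should key on the answer IP as well as on the listed names. The script below is an added example (not code from the original post); it runs the C&C IP, domains and MD5s listed above against constructed DNS-response log lines in an assumed "timestamp client qname answer" format.

```python
import re

# Indicators taken from the post above: the shared C&C IP, domains seen
# responding to it, and MD5s of samples known to phone back to it.
C2_IPS = {"130.185.73.102"}
C2_DOMAINS = {
    "updateswindowspc.net",
    "warrantynetwork.co.in",
    "amendenhancements.net.in",
    "homedrakx.net.in",
}
KNOWN_MD5 = {
    "2fc39b95a36bdd61c44baad205bcc2ec",  # VirTool:Win32/CeeInject
    "c80c3e16b17309fbcabdd402649faab5",  # Trojan:Win32/Grymegat.B
    "b1206cb15b85ddbf6fc411fe9c1fb808",  # Trojan:Win32/Grymegat.B
}

# Constructed sample log in an assumed "ts client qname answer" format.
SAMPLE_DNS_LOG = """\
2013-01-10T09:12:01 10.0.0.5 www.example.com 93.184.216.34
2013-01-10T09:12:07 10.0.0.5 updateswindowspc.net 130.185.73.102
2013-01-10T09:12:09 10.0.0.8 cdn.warrantynetwork.co.in 130.185.73.102
2013-01-10T09:12:15 10.0.0.9 newname.example.org 130.185.73.102
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def domain_matches(qname: str) -> bool:
    """True if qname is a listed domain or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def scan_dns_log(text: str) -> list:
    """Return (client, qname, reason) for each line touching the C&C infrastructure.
    Matching on the answer IP alone catches names rotated onto the same server."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _, client, qname, answer = m.groups()
        if domain_matches(qname):
            hits.append((client, qname, "known domain"))
        elif answer in C2_IPS:
            hits.append((client, qname, "resolves to known C&C IP"))
    return hits


def is_known_sample(md5_hex: str) -> bool:
    """Case-insensitive lookup of a dropped file's MD5 against the listed samples."""
    return md5_hex.strip().lower() in KNOWN_MD5
```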